965 Views, 5 Replies. Latest reply: Jun 4, 2013 5:56 PM by Kary Tankink

Dvanmeter, Apprentice (341 posts since Feb 9, 2005)
Apr 2, 2013 4:07 PM

Help with creating a signature

Ok, so I am needing a little guidance on what I am missing here.

I am trying to create a signature to protect a certain service/process like McAfee does for its own services using HIPS. I am trying to create a rule to prevent users from changing the startup of the service, modification of the files and termination of the process. I am not seeing where to prevent termination of the service and my file mod rules don't appear to be working. The service mod seems to be working. Any help would be appreciated.

  • Kary Tankink, McAfee Employee (655 posts since Mar 3, 2010)
    1. Apr 3, 2013 11:01 AM (in response to Dvanmeter)
    Re: Help with creating a signature

    > I am not seeing where to prevent termination of the service

    Use the PROGRAM engine (open with terminate and open with modify directives).

    Page 116 of: PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

    > my file mod rules don't appear to be working

    I'm not exactly sure what protection you're trying to gain with protecting myservice.exe, but if you include the Destination File parameter, then that SubRule will only work for move/rename operations of the file specified. Try without the Destination File parameter, then you shouldn't be able to perform any of the selected directive operations against the filename.

  • Kary Tankink, McAfee Employee (655 posts since Mar 3, 2010)
    3. May 31, 2013 6:18 PM (in response to Dvanmeter)
    Re: Help with creating a signature

    I'm not aware of any location where customers post their custom signatures. If any place, I would assume it would be on the McAfee community forums here.

    Just a quick signature test, I created this signature to:

    1. Prevent the Windows Spooler service from being stopped.

       [Screenshot attachment: ePolicy Orchestrator 5.0.0 (Build_ 1160)_2013-05-31_18-10-32.jpg]

    2. Prevent spoolsv.exe from being terminated by Windows Task Manager.

       [Screenshot attachment: ePolicy Orchestrator 5.0.0 (Build_ 1160)_2013-05-31_18-14-17.jpg]

    *NOTE: Further testing will need to be done to make sure this doesn't cause any issues though.

  • Kary Tankink, McAfee Employee (655 posts since Mar 3, 2010)
    5. Jun 4, 2013 5:58 PM (in response to Dvanmeter)
    Re: Help with creating a signature

    On my Win7 x64 system, I performed all these operations you mentioned just fine with these rules. If you continue to have issues, I would suggest opening a Service Request with McAfee Support to troubleshoot further.

    • For file protection, the **\ was required.
    • For program protection, I removed the "open_with_any" as it triggered way too many times on just normal functionality by other applications.
    • For program protection, I used taskmgr.exe and taskkill.exe to test with. Both were blocked.
    • For service protection, I was blocked by setting Automatic, Manual, or Disabled. I did encounter some Windows errors testing with Automatic Delayed Start, but it wasn't related to HIPS.

    [Screenshot attachments: 2013-06-04 17_50_15-ePolicy Orchestrator 5.0.0 (Build_ 1160).jpg, 2013-06-04 17_49_53-ePolicy Orchestrator 5.0.0 (Build_ 1160).jpg, 2013-06-04 17_49_24-ePolicy Orchestrator 5.0.0 (Build_ 1160).jpg]

    Message was edited by: ktankink. Corrections to protections (in italics). on 6/4/13 5:58:34 PM CDT
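The three checks the reply describes (service startup change and stop, process termination via taskkill.exe, file modification of a file matching the protected name) can be repeated as a small validation script on a test machine where the custom signature is enforced, so that each re-tune of the signature gets the same regression run. This is an added example, not code from the thread or from McAfee; it assumes the Spooler service and spoolsv.exe as in the reply, a scratch directory under $env:TEMP, and an elevated prompt.

```powershell
# Added example (not from the thread): exercise the protections a custom HIPS
# signature is meant to enforce and report which operations were blocked.
# Run elevated on a TEST machine. Assumed names: service 'Spooler', image
# 'spoolsv.exe', scratch directory under $env:TEMP.
$ServiceName = 'Spooler'
$ImageName   = 'spoolsv.exe'
$ScratchDir  = Join-Path $env:TEMP 'hips-sig-test'
$results     = New-Object System.Collections.ArrayList

function Invoke-Check {
    # Runs $Action; "Blocked" means it threw, emitted an error record, or the
    # native command exited non-zero (what a HIPS block looks like from outside).
    param([string]$Name, [scriptblock]$Action)
    $global:LASTEXITCODE = 0
    $blocked = $false; $detail = 'succeeded (NOT blocked)'
    try {
        $out  = @(& $Action 2>&1)
        $errs = @($out | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] })
        if ($LASTEXITCODE -ne 0 -or $errs.Count) { $blocked = $true; $detail = ($out | Out-String).Trim() }
    } catch { $blocked = $true; $detail = $_.Exception.Message }
    [void]$results.Add([pscustomobject]@{ Test = $Name; Blocked = $blocked; Detail = $detail })
}
function LastBlocked { $results[$results.Count - 1].Blocked }

# 1. Service protection: startup-type change and stop (undo anything that got through)
$origStart = (Get-Service $ServiceName).StartType
Invoke-Check 'service: startup=disabled' { sc.exe config $ServiceName start= disabled }
if (-not (LastBlocked)) { Set-Service $ServiceName -StartupType $origStart }
Invoke-Check 'service: stop' { Stop-Service $ServiceName -Force -ErrorAction Stop }
if (-not (LastBlocked)) { Start-Service $ServiceName }

# 2. Program protection: terminate with taskkill.exe, one of the tools the reply tested with
Invoke-Check 'process: taskkill /F' { taskkill.exe /F /IM $ImageName }

# 3. File protection: a copy carrying the protected filename in another directory.
#    With the path written as **\spoolsv.exe (as the reply recommends) the copy is
#    covered too; a rule pinned to one directory leaves it unprotected.
New-Item -ItemType Directory -Path $ScratchDir -Force | Out-Null
$copy = Join-Path $ScratchDir $ImageName
Invoke-Check 'file: copy (read)' { Copy-Item "$env:SystemRoot\System32\$ImageName" $copy -Force -ErrorAction Stop }
if (Test-Path $copy) {
    Invoke-Check 'file: write'  { Add-Content -Path $copy -Value 'x' -ErrorAction Stop }
    Invoke-Check 'file: rename' { Rename-Item $copy "$copy.bak" -ErrorAction Stop }
    Invoke-Check 'file: delete' { Remove-Item "$copy*" -Force -ErrorAction Stop }
}

$results | Format-Table -AutoSize
```

A row showing Blocked = False is the signature gap to fix; compare the table against the HIPS activity log on the client to confirm the blocks came from your rule and not from Windows permissions.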
